Merge pull request #310 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLowDomainScore.ps1

@@ -0,0 +1,25 @@
+function Get-CIPPAlertLowDomainScore {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory)]
+        $TenantFilter,
+        [Alias('input')]
+        [ValidateRange(0, 100)]
+        [int]$InputValue = 70
+    )
+
+    $DomainData = Get-CIPPDomainAnalyser -TenantFilter $TenantFilter
+    $LowScoreDomains = $DomainData | Where-Object {
+        $_.ScorePercentage -lt $InputValue -and $_.ScorePercentage -ne ''
+    } | ForEach-Object {
+        "$($_.Domain): Domain security score is $($_.ScorePercentage)%, which is below the threshold of $InputValue%. Issues: $($_.ScoreExplanation)"
+    }
+
+    if ($LowScoreDomains) {
+        Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $LowScoreDomains
+    }
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecBulkLicense.ps1

@@ -0,0 +1,85 @@
+Function Invoke-ExecBulkLicense {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Identity.User.ReadWrite
+    #>
+    [CmdletBinding()]
+    param (
+        $Request,
+        $TriggerMetadata
+    )
+
+    $APIName = $TriggerMetadata.FunctionName
+    $Results = [System.Collections.Generic.List[string]]::new()
+    $StatusCode = [HttpStatusCode]::OK
+
+    try {
+        $UserRequests = $Request.Body
+        $TenantGroups = $UserRequests | Group-Object -Property tenantFilter
+
+        foreach ($TenantGroup in $TenantGroups) {
+            $TenantFilter = $TenantGroup.Name
+            $TenantRequests = $TenantGroup.Group
+            $AllUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?&`$select=id,userPrincipalName,assignedLicenses" -tenantid $TenantFilter
+            $UserLookup = @{}
+            foreach ($User in $AllUsers) {
+                $UserLookup[$User.id] = $User
+            }
+
+            # Process each user request
+            foreach ($UserRequest in $TenantRequests) {
+                try {
+                    $UserId = $UserRequest.userIds
+                    $User = $UserLookup[$UserId]
+                    $UserPrincipalName = $User.userPrincipalName
+                    $LicenseOperation = $UserRequest.LicenseOperation
+                    $RemoveAllLicenses = [bool]$UserRequest.RemoveAllLicenses
+                    $Licenses = $UserRequest.Licenses | ForEach-Object { $_.value }
+                    # Handle license operations
+                    if ($LicenseOperation -eq 'Add' -or $LicenseOperation -eq 'Replace') {
+                        $AddLicenses = $Licenses
+                    }
+
+                    if ($LicenseOperation -eq 'Remove' -and $RemoveAllLicenses) {
+                        $RemoveLicenses = $User.assignedLicenses.skuId
+                    } elseif ($LicenseOperation -eq 'Remove') {
+                        $RemoveLicenses = $Licenses
+                    } elseif ($LicenseOperation -eq 'Replace') {
+                        $RemoveReplace = $User.assignedLicenses.skuId
+                        if ($RemoveReplace) { Set-CIPPUserLicense -UserId $UserId -TenantFilter $TenantFilter -RemoveLicenses $RemoveReplace }
+                    } elseif ($RemoveAllLicenses) {
+                        $RemoveLicenses = $User.assignedLicenses.skuId
+                    }
+                    #todo: Actually build bulk support into set-cippuserlicense.
+                    $TaskResults = Set-CIPPUserLicense -UserId $UserId -TenantFilter $TenantFilter -AddLicenses $AddLicenses -RemoveLicenses $RemoveLicenses
+
+                    $Results.Add($TaskResults)
+                    Write-LogMessage -API $APIName -tenant $TenantFilter -message "Successfully processed licenses for user $UserPrincipalName" -Sev 'Info'
+                } catch {
+                    $ErrorMessage = Get-CippException -Exception $_
+                    $Results.Add("Failed to process licenses for user $($UserRequest.userIds). Error: $($ErrorMessage.NormalizedError)")
+                    Write-LogMessage -API $APIName -tenant $TenantFilter -message "Failed to process licenses for user $($UserRequest.userIds). Error: $($ErrorMessage.NormalizedError)" -Sev 'Error' -LogData $ErrorMessage
+                }
+            }
+        }
+
+        $Body = @{
+            Results = @($Results)
+        }
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        $StatusCode = [HttpStatusCode]::BadRequest
+        $Body = @{
+            Results = @("Failed to process bulk license operation: $($ErrorMessage.NormalizedError)")
+        }
+        Write-LogMessage -API $APIName -message "Failed to process bulk license operation: $($ErrorMessage.NormalizedError)" -Sev 'Error' -LogData $ErrorMessage
+    }
+
+    # Return response
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = $Body
+        })
+}

Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1

@@ -134,6 +134,14 @@ function New-CIPPCAPolicy {
                 if ($location.countriesAndRegions) { $location.countriesAndRegions = @($location.countriesAndRegions) }
                 $Body = ConvertTo-Json -InputObject $Location
                 $GraphRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations' -body $body -Type POST -tenantid $tenantfilter -asApp $true
+                $retryCount = 0
+                do {
+                    Write-Host "Checking for location $($GraphRequest.id) attempt $retryCount. $TenantFilter"
+                    $LocationRequest = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations' -tenantid $tenantfilter -asApp $true | Where-Object -Property id -EQ $GraphRequest.id
+                    Write-Host "LocationRequest: $($LocationRequest.id)"
+                    Start-Sleep -Seconds 2
+                    $retryCount++
+                } while ((!$LocationRequest -or !$LocationRequest.id) -and ($retryCount -lt 5))
                 Write-LogMessage -Headers $User -API $APINAME -message "Created new Named Location: $($location.displayName)" -Sev 'Info'
                 [pscustomobject]@{
                     id   = $GraphRequest.id
@@ -236,8 +244,7 @@ function New-CIPPCAPolicy {
         } else {
             Write-Information 'Creating'
             if ($JSONobj.GrantControls.authenticationStrength.policyType -or $JSONObj.$jsonobj.LocationInfo) {
-                #quick fix for if the policy isn't available
-                Start-Sleep 1
+                Start-Sleep 3
             }
             $null = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $tenantfilter -type POST -body $RawJSON -asApp $true
             Write-LogMessage -Headers $User -API $APINAME -tenant $($Tenant) -message "Added Conditional Access Policy $($JSONObj.Displayname)" -Sev 'Info'

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingVerification.ps1

@@ -0,0 +1,77 @@
+function Invoke-CIPPStandardTeamsMeetingVerification {
+    <#
+    .FUNCTIONALITY
+        Internal
+    .COMPONENT
+        (APIName) TeamsMeetingVerification
+    .SYNOPSIS
+        (Label) Meeting Verification (ReCaptcha) for Teams
+    .DESCRIPTION
+        (Helptext) Configures the CAPTCHA verification for external users joining Teams meetings. This helps prevent unauthorized AI notetakers and bots from joining meetings.
+        (DocsDescription) Configures the CAPTCHA verification for external users joining Teams meetings. This helps prevent unauthorized AI notetakers and bots from joining meetings. When enabled, external users from untrusted organizations or anonymous users will need to complete a CAPTCHA verification before joining meetings.
+    .NOTES
+        CAT
+            Teams Standards
+        TAG
+        ADDEDCOMPONENT
+            {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsMeetingVerification.CaptchaVerificationForMeetingJoin","label":"CAPTCHA verification for meeting join","options":[{"label":"Not Required","value":"NotRequired"},{"label":"Anonymous Users and Untrusted Organizations","value":"AnonymousUsersAndUntrustedOrganizations"}]}
+        IMPACT
+            Low Impact
+        ADDEDDATE
+            2025-06-14
+        POWERSHELLEQUIVALENT
+            Set-CsTeamsMeetingPolicy -Identity Global -CaptchaVerificationForMeetingJoin AnonymousUsersAndUntrustedOrganizations
+        RECOMMENDEDBY
+            "Microsoft"
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+    .LINK
+        https://docs.cipp.app/user-documentation/tenant/standards/list-standards
+    .LINK
+        https://learn.microsoft.com/en-us/microsoftteams/join-verification-check
+    #>
+    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsMeetingVerification'
+
+    param($Tenant, $Settings)
+    $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsMeetingPolicy' -CmdParams @{Identity = 'Global' } | Select-Object CaptchaVerificationForMeetingJoin
+    $CaptchaVerificationForMeetingJoin = $Settings.CaptchaVerificationForMeetingJoin.value ?? $Settings.CaptchaVerificationForMeetingJoin
+    $StateIsCorrect = ($CurrentState.CaptchaVerificationForMeetingJoin -eq $CaptchaVerificationForMeetingJoin)
+
+    if ($Settings.remediate -eq $true) {
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Meeting Verification Policy already set.' -sev Info
+        } else {
+            $cmdParams = @{
+                Identity                         = 'Global'
+                CaptchaVerificationForMeetingJoin = $CaptchaVerificationForMeetingJoin
+            }
+
+            try {
+                New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsMeetingPolicy' -CmdParams $cmdParams
+                Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Teams Meeting Verification Policy' -sev Info
+            } catch {
+                $ErrorMessage = Get-CippException -Exception $_
+                Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Teams Meeting Verification Policy. Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+            }
+        }
+    }
+
+    if ($Settings.alert -eq $true) {
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Meeting Verification Policy is set correctly.' -sev Info
+        } else {
+            Write-StandardsAlert -message 'Teams Meeting Verification Policy is not set correctly.' -object $CurrentState -tenant $Tenant -standardName 'TeamsMeetingVerification' -standardId $Settings.standardId
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Meeting Verification Policy is not set correctly.' -sev Info
+        }
+    }
+
+    if ($Settings.report -eq $true) {
+        if ($StateIsCorrect) {
+            $FieldValue = $true
+        } else {
+            $FieldValue = $CurrentState
+        }
+        Set-CIPPStandardsCompareField -FieldName 'standards.TeamsMeetingVerification' -FieldValue $FieldValue -Tenant $Tenant
+        Add-CIPPBPAField -FieldName 'TeamsMeetingVerification' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+    }
+}